Microsoft O365 Add-In "Installation failed"


I have a valid and verified Add-In/manifest which passes npm run validate. I, as well as hundreds of users, am able to download my manifest through a link. However, some users have been facing this error:

This app can't be installed. The manifest XML file isn't valid. For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the setting into XmlReaderCreate method.


In what situations can an error like this appear for some users?


There are 2 best solutions below

0
On BEST ANSWER

I have actually bumped into this issue a year ago. Like @OutlookAdd-insTeam-MSFT suggested, I also believe this is related to networking, specifically to DNS.

Here's what I was able to find out, but unfortunately my client never came back and confirmed if it was useful.

(Please note that parts of the text are quoted from the sites listed at the bottom.)

Error message

Application cannot be installed. Manifest XML is not valid. For security reasons DTD is prohibited in this XML document. To enable DTD processing set the DtdProcessing property on XmlReaderSettings to Parse and pass the settings into XmlReader.Create method.

Why does this happen?

When the manifest.xml is read by O365, it is being resolved via msoid.[organization_name].onmicrosoft.com and msoid.onmicrosoft.com. If this fails (due to a typo in etc.), an HTTP 404 error is invoked. At this point your ISP's DNS server should take over and offer to resolve the address according to its CNAME record table. However, some organizations might have additional DNS assistance in place. Once a 404 error is detected by the msoid resolver service, the ISP's DNS will try to take over the DNS resolving (DNS assistance). When that fails (due to a missing CNAME record or a typo), it returns an HTML-formatted query result back to O365. It is basically an HTTP 200 response, which is interpreted by O365 as a successful authentication. After this, O365 starts to process the HTML-formatted response as if it were the original manifest.xml. And as the HTML contains a DTD declaration in an incorrect way, you receive the error "For security reasons DTD is prohibited in this XML document".

Possible solutions:

a) Make sure DNS settings on the client's computer are set correctly.

b) Temporarily switch to another DNS server (e.g. Google DNS)

d) Turn off DNS assistance service (if applicable)

Please see the articles below for more information:

https://www.codetwo.com/kb/dtd-prohibited/

https://www.veeam.com/kb2821

http://sharepointers.blogspot.com/2017/03/connect-pnponline-for-security-reasons.html

https://learn.microsoft.com/fi-fi/office365/admin/services-in-china/purpose-of-cname?redirectSourcePath=%252fen-us%252farticle%252fWhat-s-the-purpose-of-the-Office-365-CNAME-record-for-msoid-19b67e2b-1b28-4432-8cca-394803fbdc87&view=o365-21vianet

https://blogs.msdn.microsoft.com/joerg_sinemus/2017/07/10/sharepoint-online-vanity-domain-powershell-csom-and-the-msoid-cname-record/
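A client-side check for the failure described in the answer above, as an added example that is not part of the original answer: it parses the bytes received for the manifest URL under a no-DOCTYPE policy and reports whether they are an add-in manifest or something else, such as an HTML page. The helper name and the sample bodies are constructed for illustration.

```python
import xml.parsers.expat

# Namespace URI and local name of the root element of an Office add-in manifest.
OFFICEAPP_ROOT = "http://schemas.microsoft.com/office/appforoffice/1.1 OfficeApp"


class _DoctypeSeen(Exception):
    """Raised from the expat callback as soon as a DOCTYPE is declared."""


def classify_manifest_body(body: bytes) -> str:
    """Classify bytes received for a manifest URL (hypothetical helper).

    Returns 'manifest', 'dtd-prohibited', 'unexpected-root' or 'not-well-formed'.
    """
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Same policy as a reader with DTD processing prohibited: stop at once.
        raise _DoctypeSeen(name)

    def on_start(name, attrs):
        if not root:
            root.append(name)  # remember only the document element

    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except _DoctypeSeen:
        return "dtd-prohibited"
    except xml.parsers.expat.ExpatError:
        return "not-well-formed"
    return "manifest" if root[0] == OFFICEAPP_ROOT else "unexpected-root"


# Constructed sample bodies (not captured from a real tenant or resolver).
GOOD_MANIFEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<OfficeApp xmlns="http://schemas.microsoft.com/office/appforoffice/1.1" '
    b'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="MailApp">'
    b"<Id>00000000-0000-0000-0000-000000000000</Id></OfficeApp>"
)
DNS_ASSIST_PAGE = (
    b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
    b'"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n'
    b"<html><head><title>Search</title></head><body>Not found</body></html>"
)
OTHER_XML = b"<rss version='2.0'><channel/></rss>"
```

Run against the raw bytes an affected client receives for the manifest link: a `dtd-prohibited` or `not-well-formed` result for a manifest that validates elsewhere means the client was served a different document than the one published.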

1
On

You can validate the manifest file against the XML Schema Definition (XSD) files. This will ensure that the manifest file follows the correct schema, including any namespaces for the elements you are using. If you copied elements from other sample manifests, double-check that you also include the appropriate namespaces. You can use an XML schema validation tool to perform this validation.

To use a command-line XML schema validation tool to validate your manifest, do the following:

  1. Install tar and libxml, if you haven't already.
  2. Run the following command. Replace XSD_FILE with the path to the manifest XSD file, and replace XML_FILE with the path to the manifest XML file.

     xmllint --noout --schema XSD_FILE XML_FILE

Also, you can try to validate your manifest using the npm run validate command. See Validate an Office Add-in's manifest for more information.